According to the ACLU, Google Inc. (GOOG) regularly puts out patches and upgrades to its Android operating system -- the world's most used smartphone operating system. But in its 17-page report, it accuses America's top wireless carriers of recklessly endangering consumers by not rolling out updates fast enough.

The report calls out America's top two carriers: AT&T, Inc. (T) and Verizon Wireless, which is jointly owned by Verizon Communications Inc. (VZ) and Vodafone Group Plc. (LON:VOD). It also accuses Sprint Nextel Corp. (S) and Deutsche Telekom AG's (ETR:DTE) T-Mobile USA of contributing to the problem.

The ACLU wants the FTC to force carriers either to offer customers refunds or to provide warnings that they are inadequately protecting customers. The advocacy group admits that it is unusual for it to look to protect consumers (which is typically the job of other, more specialized advocacy groups), but it said that in this case the security risks from the carrier negligence could be used to justify Orwellian new federal laws -- like the controversial CISPA bill that recently passed the House.

ACLU lawyer Chris Soghoian, who authored and submitted the complaint last Tuesday, comments, "This is part of our attempt to reframe the cybersecurity agenda. Before violating anyone's privacy, the government should first be addressing the low-hanging fruit that everyone can agree on."

The ACLU is targeting America's top carriers for sluggish Android updates.

While the report may echo the frustrations of many Android users, it was met with scorn and derision by figures in the telecom industry. Verizon responded that it releases patches and updates "as quickly as possible", but that it must conduct "rigorous testing" before any release. Carriers argue that the nature of Android -- which allows both OEMs and carriers to modify or disable certain functionality (e.g. tethering) -- makes testing a slower and more arduous process.

They argue that rushed updates could "break" smartphones, causing them to gobble data unnecessarily, be unable to run apps, or be unable to make calls. Indeed, this has happened on occasion in the past.

We know that Android doesn't push out security fixes for OS vulnerabilities on a timely basis because that is in the hands of third parties. On top of that, they can't even keep on top of malware coming from their own channels, let alone all of the other malware out there that isn't hosted on Play. Either way, the number of compromised iOS devices doesn't even amount to more than a rounding error; it is nothing compared to the percentage of compromised Android devices, both through OS vulnerabilities and malware.

Of course a chart/statistic that shows crApple in bad light isn't accurate or sufficient enough for you UNLESS it is in a positive manner. 81% is a HUGE lead in OS vulnerabilities if you ask any level-headed tech user or non-crApple fanatic. I don't know who is worse, you or Tony.

quote: How can that be? How does the more secure operating system end up being the target of the lion’s share of attacks and malware? Symantec merely notes that most mobile attacks don’t rely on operating system vulnerabilities, therefore there’s no necessary correlation between attacks and exploitable security vulnerabilities.

quote: The problem for the company is that the company made a (bad) decision years ago to cede control over Android to its business partners: the carriers and handset makers that sell mobile phones. That was all in the interest of fostering growth.

...

That has meant putting security in the hands of those same business partners, even though they don’t bear any of the costs or reputation damage from hacked or compromised devices. You don’t, after all, read headlines saying that “malware spreading on Verizon phones,” or “malicious apps targets AT&T phones.” You hear about attacks on Android. The carrier and handset maker, except in rare cases, don’t warrant mention.

Those partners have turned a blind eye to the kind of basic “policing” that needs to be done to keep the mobile ecosystem safe. While Google reliably pushes out operating system updates, handset makers and carriers drag their feet distributing those updates to vulnerable customers – worried, perhaps, about service disruptions or other support issues that might result. The latest data from Google highlights the challenge facing the company, with just over 16% of Android users running Versions 4.1 or 4.2, the latest versions of the OS, dubbed “Jelly Bean,” more than six months after its release. In contrast, 44% of Android users are still running the “Gingerbread” release – Versions 2.3.3 through 2.3.7, a two-year-old version of the operating system that has known security vulnerabilities. Add to that the proliferation of third party Android application stores, which operate with little or no oversight, and you have a mobile environment with lots of “broken windows.”

This is on top of Google Play giving personal user information to developers without giving control of that to the customer, something neither Microsoft nor Apple do with iOS and WP.

I know you want to frame this as a fanboy argument, but reality is reality. iOS having more security vulnerabilities doesn't matter given that they are patched across all iOS devices, and when malware is kept out of the app store. Meanwhile malware runs rampant on Android while millions of new devices are left unpatched because carriers can't be bothered to deal with it and aren't being held accountable.